Dear Gerv,
Given that some of these are BR requirements, why were these controls not in
place already?
==> Some of these controls are already in place (such as the field CN and
Subject Alternative Name that does not contain a private IP address).
In addition to that NDCA has implemented a proce
Hello,
the 2 CA certificates signed by Certinomis has been retained till a full
successful webtrust audit.
On end of June the audit report form PwC was available but with still some
minor issues. I asked StartCom to correct them.
On July 14th the audit report and the policy were updated and pu
Hi, this is my reply in the bugzilla
Hi all,
what Fanck is saying is true and we haven´t started to issue any cert using
this new path.
Regarding the info that is in this bug I´m really shocked because the
majority of them are revoked and don´t understand why have been included
here.
For th
On 03/08/2017 10:47, Inigo Barreira via dev-security-policy wrote> 1.
The un-revoked test certificates are those pre-sign ones with uncompleted
> ctlog. So they are not completed certificates.
> https://crt.sh/?opt=cablint&id=134843670
> https://crt.sh/?opt=cablint&id=134843674
> https://crt.sh/?op
1. It is well established that logging pre-certs constitutes "issuance" for
purposes of policy compliance. If you wouldn't issue it, don't log it. Not
difficult. And this isn't new.
2. When a new path comes into existence in the Web PKI you don't need to
explicitly "use" it as a CA, the Relying
We´re revoking all those unrevoked certs to avoid any more problems.
Regarding the pre-certs, yes, I was aware of the discussion. As Gerv says
there´s a binding statement of "intent" ... the problem with these is that
we generated the pre-certs and logged in the CT log, where crt.sh looks or
monit
Hi Jeremy,
Will the certificates being issued for Symantec starting December 1st be
issued under the existing DC roots, or under new roots?
Alex
On Wed, Aug 2, 2017 at 5:12 PM, Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi everyone,
>
>
>
> Today, Di
From RFC6962:
The signature on the TBSCertificate indicates the certificate
authority's intent to issue a certificate. This intent is considered
binding (i.e., misissuance of the Precertificate is considered equal
to misissuance of the final certificate).
I don't think this text could be any mor
That would be fine. Also, we have given Intesa Sanpaolo a scheduled
revocation date of 15 August 2017, and I'm waiting to hear back.
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On
Behalf Of Nick Lamb via dev-security
Nick and Mozilla Community,
Here is the response from Intesa Sanpaolo concerning the disruption that
revocation will cause to their banking operations:
Good Evening Ben,
About the problem with the certificate you recently notified us, I
confirm you that we have replaced the certificates t
If I'm reading this correctly, these certificates are for internal
services, not publicly accessible. Could they add their intermediate
directly to these trust stores, allowing you to revoke it?
Failing that, it sounds like OneCRL would be an appropriate remedy.
Alex
On Thu, Aug 3, 2017 at 10:38
There are over 300 publicly visible servers, according to Censys.IO.
From: Alex Gaynor [mailto:agay...@mozilla.com]
Sent: Thursday, August 3, 2017 8:42 AM
To: Ben Wilson
Cc: Nick Lamb ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName issued from Balt
Ouch. Thanks for clarifying.
Alex
On Thu, Aug 3, 2017 at 10:46 AM, Ben Wilson wrote:
> There are over 300 publicly visible servers, according to Censys.IO.
>
>
>
> *From:* Alex Gaynor [mailto:agay...@mozilla.com]
> *Sent:* Thursday, August 3, 2017 8:42 AM
> *To:* Ben Wilson
> *Cc:* Nick Lamb ;
> On Aug 3, 2017, at 04:47, Inigo Barreira via dev-security-policy
> wrote:
>
> For those which are not revoked are due to use different curves (P-384,
> P-521) that have been discussed in the mozilla m.d.s.p as well as the CAB
> Forum and there´s no conclusion yet, but in any case we´re not al
Thanks Jonathan
Yes, I answered after just looking quickly about the main issues not focusing
on the different sizes, etc. As you can see in the post, we have revoked all of
them.
Best regards
Iñigo Barreira
CEO
StartCom CA Limited
-Original Message-
From: Jonathan Rudenberg [mailto:
All,
I have conflicting opinions about this situation:
On the one hand, I want to see better behavior, and am inclinded to add these
two intermediate certs to OneCRL, and tell StartCom and Certinomis to start
over and do things right.
On the other hand, I'm not convinced yet that the issued no
> On Aug 3, 2017, at 12:26, Kathleen Wilson via dev-security-policy
> wrote:
>
> All,
>
> I have conflicting opinions about this situation:
>
> On the one hand, I want to see better behavior, and am inclinded to add these
> two intermediate certs to OneCRL, and tell StartCom and Certinomis t
On Wednesday, August 2, 2017 at 6:44:51 PM UTC-7, Peter Bowen wrote:
> On Wed, Aug 2, 2017 at 2:12 PM, Jeremy Rowley via dev-security-policy
> wrote:
> > Today, DigiCert and Symantec announced that DigiCert is acquiring the
> > Symantec CA assets, including the infrastructure, personnel, roots, an
On Thursday, August 3, 2017 at 9:49:41 AM UTC-7, Jonathan Rudenberg wrote:
> Even absent the BR-violating certificates and disclosure timeline, I believe
> this cross-sign is problematic because it appears to circumvent the
> prerequisites and process described in
> https://bugzilla.mozilla.org/
I think it's reasonable to consider mistakes in StartCom's new PKI of this
nature to be a part of "continuing pattern of behavior" from their previous
PKI, and not something which should be considered in isolation. In that
context, I'm not sure comparisons with other CAs which were "first time
offe
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of
> Jeremy Rowley via dev-security-policy
> Sent: Wednesday, August 2, 2017 10:54 PM
> To: Peter Kurrasch ; mozilla-dev-security-policy
>
> Su
On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via
dev-security-policy wrote:
> On Thursday, August 3, 2017 at 9:49:41 AM UTC-7, Jonathan Rudenberg wrote:
> > Even absent the BR-violating certificates and disclosure timeline, I
> > believe this cross-sign is problematic because it appe
I believe all of the non expired CAs listed are in scope.
> On Aug 2, 2017, at 7:44 PM, Peter Bowen wrote:
>
> On Wed, Aug 2, 2017 at 2:12 PM, Jeremy Rowley via dev-security-policy
> wrote:
>> Today, DigiCert and Symantec announced that DigiCert is acquiring the
>> Symantec CA assets, including
On Monday, July 10, 2017 at 12:47:31 PM UTC-7, Kathleen Wilson wrote:
> I also think we should remove the old WoSign root certs from NSS.
>
> Reference:
> https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign
> ~~
> Mozilla currently recommends not trusting any certificates issued by this CA
On Thursday, August 3, 2017 at 3:09:25 PM UTC-7, Kurt Roeckx wrote:
> I would really like to see that they have at least opened a bug to
> request the inclusion of that CA before it's cross-signed.
Here's StartCom's current root inclusion request:
https://bugzilla.mozilla.org/show_bug.cgi?id=1381
On Friday, August 4, 2017 at 8:02:16 AM UTC+9, Kathleen Wilson wrote:
> On Thursday, August 3, 2017 at 3:09:25 PM UTC-7, Kurt Roeckx wrote:
> > I would really like to see that they have at least opened a bug to
> > request the inclusion of that CA before it's cross-signed.
>
> Here's StartCom's c
On Thursday, August 3, 2017 at 4:34:27 PM UTC-7, Ryan Sleevi wrote:
> I do hope you can clarify whether remediations apply to keys operated by
> organizations, or whether they apply to the organization themselves.
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832
says: "StartCom may apply for
On 02/08/2017 23:12, Jeremy Rowley wrote:
Hi everyone,
Today, DigiCert and Symantec announced that DigiCert is acquiring the
Symantec CA assets, including the infrastructure, personnel, roots, and
platforms. At the same time, DigiCert signed a Sub CA agreement wherein we
will validate and
On Thu, Aug 03, 2017 at 02:38:33PM +, Ben Wilson via dev-security-policy
wrote:
> Here is the response from Intesa Sanpaolo concerning the disruption that
> revocation will cause to their banking operations:
[...]
> Concerning the CA revocation, first of all, I want to underline that for us
Hi Doug,
We are confident in our ability to hit the deadlines set by both Mozilla and
Google. Our understanding is that all new validations will be done by DigiCert
on Dec 1, 2017. We plan to start re-validating information as soon as
practical under the Sub CA agreement. Our mutual goal is to
We aren't sure at this point. DigiCert already runs two (almost three) logs.
Symantec runs two logs. Although CT plans are still under discussion, I
don't think the ecosystem needs four CT logs operated by a single CA.
Regardless, we'll do whatever is best to support CT and the DigiCert and
Symant
On Thu, Aug 03, 2017 at 05:27:03PM -0700, Kathleen Wilson via
dev-security-policy wrote:
> Along this line of discussion, I have not felt comfortable with StartCom's
> current root inclusion request (bug #1381406), because Hanno raised a
> concern about the private key used by the new root is also
Hey Peter,
I think the Mozilla and Google plans both stand as-is, although probably need
an updated based on this announcement. I'm hoping that the high-level concepts
remain unchanged:
- Migrate to a new infrastructure
- Audit the migration and performance to ensure complianc
On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via
dev-security-policy wrote:
> However, I think it is fine for Certinomis to cross-sign with new StartCom
> subCA certs, as long as Certinomis ensures that Mozilla's Root Store
> Policy is being followed.
... which they didn't. So there
On Thu, Aug 03, 2017 at 11:20:19AM +, Inigo Barreira via
dev-security-policy wrote:
> We´re revoking all those unrevoked certs to avoid any more problems.
Revoking problematic certificates doesn't avoid any problems. The problems
have already been created.
> Regarding the pre-certs, yes, I
On Thu, Aug 03, 2017 at 08:47:17AM +, Inigo Barreira via
dev-security-policy wrote:
> And what I don´t understand are those comments of "very sloppy isuance
> practices" , "many non-BR compliants", "specially given the historic issues
> with StartCom" and consider them very unfair. These are s
On 8/3/17 5:27 PM, Kathleen Wilson via dev-security-policy wrote:
> On Thursday, August 3, 2017 at 4:34:27 PM UTC-7, Ryan Sleevi wrote:
> In bug #1311832 there is a note about cross-signing:
> "[1] The new (replacement) root certificates may be cross-signed by the
> Affected Roots. However, the Af
I agree with the high-level concepts, although I would probably like to add something about "being good stewards of technologies that play a critical role in the global economy." (Feel free to use your own words!)
38 matches
Mail list logo